- Oct 2024
-
tw-preview.dev.amust.local tw-preview.dev.amust.local
-
second beta.
"next version"
-
beta
we decided yesterday to just use the build number and no "beta" anywhere. Please remove "beta" everywhere and use "current version (0.1.17)" or something like that
-
Third party security software must not be installed on the server.
We don't allow any additional software; security software is just one example. Please clarify.
-
The server must be a physical machine.
Please remove this bullet point. We decided to only limit it to the Red Hat compatibility list. VMware, for example, is on it, so VMware is okay for us.
-
Only hardware RAID controllers are supported.
Why did you remove the FakeRAID statement I had?
-
If you have a redundant network connection, select the plus icon and choose Bond in the drop-down menu.
This is a sub-section of 3.
-
create a bootable USB stick
I learned it only yesterday: please add the information to use Balena Etcher (https://etcher.balena.io/). Many people use Rufus, which is known to create problems here and there.
-
Veeam ISO
Who approved the term "Veeam ISO"?
-
Also required for security and operating system updates
I just learned that a connection to repository.veeam.com is always needed. We plan to fix that bug in 12.3.
-
BMC
BMC (base management controller)
-
storage
RAID[...] (e.g. RAID6 / RAID60)
-
Only internal storage / direct attached storage with a physical RAID controller with write-back cache are supported.
Only internal storage / direct attached storage with hardware RAID controller with write-back cache are supported
-
Only physical RAID controllers are supported.
Only hardware RAID controllers are supported (software RAID / FakeRAID controllers are unsupported)
"hardware" cannot be replaced by "physical". It's a defined term.
-
At least 1 additional disk added to a logical volume group with an LVM (Logical Volume Manager).
replace with "At least one additional disk for data (minimum 100GB)"
-
Minimum 16 core CPU. Minimum 64 GB RAM.
Can be removed. We decided to stick to the general system requirements so that we don't maintain it in two places.
-
12.1.2
Let's make it 12.2, because 12.1.2 has known vulnerabilities.
-
On the Installation Summary of the installation wizard, it is strongly recommended to not enter the Installation Destination step as it can cause errors during the installation. If you click it accidentally, exit the installer and boot from the ISO again.
Can be removed. This was fixed.
-
but a minimum service level
https://www.veeam.com/kb2976 - this is what we have
-
Add the server as a hardened repository. For more information, see Adding Hardened Repositories. Once you have finished adding the hardened repository, stop the SSH service.
this is "Adding Hardened Repository ISO to Veeam Backup & Replication". This is not "configuring"
-
The other options in the configurator are optional:
Proxy Settings – Configure your http(s) proxy settings.
Time Settings – Specify an NTP server with an iburst parameter.
Change Hostname – Change the name of the vhradmin user.
Change Password – Change the password for the vhradmin user.
Reset Time Lock – Reset the hardened repository immutability lock. For more information, see this Knowledge Base article.
Update All – Force a manual DNF update.
Reboot – Reboot the hardened repository. SSH will be disabled after a reboot.
Shutdown – Shutdown the hardened repository. SSH will be disabled after a shutdown.
please make it a real description of what these settings / options do.
-
generate
and show
-
Ensure that you make note of them.
Not needed. It's used only once.
-
Network Settings - Configure your network settings. When using the standard configuration, only IPv4 address and DHCP can be used. Advanced configuration adds additional configuration options.
Network is usually configured during installation. There is no need to do it again here.
-
ISO
Remove "ISO".
The official term is Veeam Hardened Repository Configurator.
-
Login
Log in
-
Rocky Linux Server
Hardened Repository ISO
-
Go to the Network & Host Name screen and configure the settings as needed.
1. Select the plus icon and choose Bond in the drop-down menu.
2. Specify a name for the connection and the interface.
3. Press Add.
4. Select Ethernet as your connection type and add the device using the drop-down menu.
5. Set the bonding mode:
   - Round Robin (if you use EtherChannel without LACP).
   - 802.3ad (if you use EtherChannel with LACP).
   - Active-backup (for other configurations).
6. Repeat this process for the second network card.
7. Select IPv4 Settings or IPv6 Settings, depending on your connection. Configure your IP address and DNS. A static IP address should be used if possible. Click Save.
8. Specify a hostname.
Let's put this entire section into the network section. Otherwise it's confusing. Where should I set a hostname?
-
On the Installation Summary step of the installation wizard, add your preferred keyboard layouts and set your time zone as needed (only NTP time server is currently available).
Let's split this. Keyboard and time are two different sections.
-
choose Bond in the drop down menu
This is only for a redundant network connection. I think it also makes sense to describe it for non-redundant networks (just directly set the IP address on the interface).
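As an added example (not part of the documentation under review or the reviewer's comments), the bonding-mode decision from the procedure above and the non-redundant alternative the reviewer asks for, expressed as the NetworkManager commands a RHEL-compatible host would take from a shell. The nmcli invocations, the interface names eno1/eno2, the bond name bond0, the hostname and the 192.0.2.x addresses are assumptions and constructed sample values; the script prints the commands rather than running them. "Round Robin" in the installer corresponds to NetworkManager's balance-rr mode.

```shell
#!/bin/sh
# Added example, not from the Veeam documentation or the reviewer's comments.
# Derives the bonding mode the procedure names from the switch-side setup and
# prints the NetworkManager (nmcli) commands that apply the same settings from a
# shell on a RHEL-compatible host. The nmcli syntax, the interface names eno1/eno2,
# the bond name bond0, the hostname and the addresses are assumptions / constructed
# sample values; commands are printed, never executed.

# bond_mode SWITCH LACP
#   SWITCH: "etherchannel" or "none"; LACP: "lacp" or "nolacp"
# "Round Robin" in the installer is NetworkManager's balance-rr.
bond_mode() {
    case "$1:$2" in
        etherchannel:lacp)   echo "802.3ad" ;;
        etherchannel:nolacp) echo "balance-rr" ;;
        *)                   echo "active-backup" ;;
    esac
}

# Static IPv4 settings for an existing connection (static preferred, per the doc).
# ipv4_commands CONNECTION ADDRESS/PREFIX GATEWAY DNS
ipv4_commands() {
    echo "nmcli connection modify '$1' ipv4.method manual ipv4.addresses '$2' ipv4.gateway '$3' ipv4.dns '$4'"
    echo "nmcli connection up '$1'"
}

# Redundant connection: bond0 over two ports with the chosen mode.
# bond_commands MODE PORT1 PORT2 ADDRESS/PREFIX GATEWAY DNS
bond_commands() {
    mode="$1"
    echo "nmcli connection add type bond con-name bond0 ifname bond0 bond.options 'mode=$mode,miimon=100'"
    echo "nmcli connection add type ethernet con-name bond0-port1 ifname '$2' master bond0"
    echo "nmcli connection add type ethernet con-name bond0-port2 ifname '$3' master bond0"
    ipv4_commands bond0 "$4" "$5" "$6"
}

# Non-redundant connection: set the address directly on the single interface,
# as the reviewer suggests for non-redundant networks.
# single_commands PORT ADDRESS/PREFIX GATEWAY DNS
single_commands() {
    echo "nmcli connection add type ethernet con-name '$1' ifname '$1'"
    ipv4_commands "$1" "$2" "$3" "$4"
}

# The hostname is set separately, outside the network connection itself.
hostname_command() {
    echo "hostnamectl set-hostname '$1'"
}

# Sample run with constructed values: EtherChannel with LACP, documentation addresses.
mode=$(bond_mode etherchannel lacp)
bond_commands "$mode" eno1 eno2 192.0.2.10/24 192.0.2.1 192.0.2.53
hostname_command vhr01.example.com
```

The decision table lives in one function so the mode chosen in the installer and the mode applied later from a shell cannot drift apart; the hostname is a separate command, which is why the reviewer's question about where to set it is a fair one.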
-
only NTP time server is currently available
NTP and NTS are available. But I think that sentence is wrong here.
-
Veeam Rocky Linux Hardened Server
Veeam Hardened Repository ISO
-
Rocky Linux Server
Hardened Repository ISO
-
Preparing Rocky Linux Using Veeam Hardened Repository ISO
Preparing Using Veeam Hardened Repository ISO
No Rocky Linux here.
-
- Jul 2024
-
Remove the user account from the wheel group
I believe we should tell the customer to use a second user. In the blog post, I created an extreme example
-
Remove the user account from the wheel group:
The description should be "add sudo permissions for reboot and shutdown".
We should describe the consequences. I believe for most customers having a second user without administrator permissions is better.
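As an added example (not from the documentation or the reviewer's comments), the two pieces the comment asks to describe: checking whether a user is still a member of the wheel group, and granting a separate, non-administrative user only the sudo rights needed for reboot and shutdown through a sudoers drop-in. The user name vhradmin2, the drop-in directory passed by the caller (normally /etc/sudoers.d), and the /usr/bin/systemctl path are assumptions.

```shell
#!/bin/sh
# Added example, not from the documentation or the reviewer's comments.
# Shows the least-privilege setup the reviewer describes: a second user outside
# wheel that may only reboot or shut the repository down via sudo.
# Assumptions: the user name vhradmin2, the drop-in directory passed by the
# caller (normally /etc/sudoers.d) and the systemctl path /usr/bin/systemctl.

# in_group USER GROUP [GROUPFILE]: is USER listed as a member of GROUP?
# Parses /etc/group lines of the form  name:x:gid:member1,member2
# Caveat: a user whose primary group (in /etc/passwd) is wheel is not listed here.
in_group() {
    members=$(awk -F: -v g="$2" '$1 == g { print $4 }' "${3:-/etc/group}")
    case ",$members," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# reboot_sudoers USER: sudoers fragment permitting exactly two commands as root.
# The password prompt is kept (no NOPASSWD), so a hijacked session still needs it.
reboot_sudoers() {
    printf '%s\n' \
      "Cmnd_Alias VHR_POWER = /usr/bin/systemctl reboot, /usr/bin/systemctl poweroff" \
      "$1 ALL=(root) VHR_POWER"
}

# install_reboot_sudoers USER DIR [GROUPFILE]: write the fragment with the 0440
# mode sudo expects and print its path. Refuses to act while USER is still in
# wheel, because full sudo would make the restricted drop-in meaningless.
install_reboot_sudoers() {
    if in_group "$1" wheel "${3:-/etc/group}"; then
        echo "error: $1 is still in wheel; remove it first (gpasswd -d $1 wheel)" >&2
        return 1
    fi
    file="$2/10-$1-power"
    reboot_sudoers "$1" > "$file" || return 1
    chmod 0440 "$file" || return 1
    echo "$file"
}

# Sample run: print the fragment for the assumed second user.
reboot_sudoers vhradmin2
```

Before copying the file into /etc/sudoers.d on a real host, validate it with `visudo -cf <file>`; a syntax error in a drop-in would otherwise lock every sudo user out, including the administrator.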
-
Comment
I don't know whether we need "comment". All partitions are technically DISA STIG requirements. I would remove that column.
-
In the newly opened wizard, select Standard Partition in the drop down menu and add the partitions listed in the table below. Click the plus icon and enter the mount point and the desired size of the partition.
This partitioning scheme is for 100 GB disks. For larger disks, the customer can either apply percentage values or just increase /home and /tmp.
-
Switchport is set to untagged.
I don't think this is a requirement. Where does that come from?
-
Preparing Red Hat Enterprise Linux (RHEL) Server as Hardened Repository
Does it make sense to add DISA STIG to the headline and remove "Server as Hardened Repository", because we are in the Hardened Repository section already?
-